Electronic Communications Privacy Act (ECPA)

Top News

EPIC Challenges Samsung's Surveillance of the Home, Files FTC Complaint: EPIC has filed a complaint to the Federal Trade Commission about Samsung's SmartTvs. "Samsung routinely intercepts and records the private communications of consumers in their homes," EPIC wrote. EPIC detailed widespread consumer objections and charged that "privacy notices" do not diminish the harm to American consumers. In setting out the privacy violations, EPIC cited the FTC Act, the Children's Online Privacy Protection Act, The Cable Act, and the Electronic Communications Privacy Act. EPIC also noted a recent speech of FTC Chair Edith Ramirez about privacy and consumer products. EPIC asked the FTC to enjoin Samsung and other companies that engage in similar practices. (Feb. 24, 2015)

Privacy Case Moves Forward Against Facebook and Zynga: The Ninth Circuit found that the companies may have violated Facebook's privacy policies when they disclosed user information for advertising purposes. Separately, the court ruled that there was no violation of the Electronic Communications Privacy Act because the data disclosed (including Facebook IDs and HTTP referers) is not "contents" of a communication. Congress is set to consider several ECPA reforms, and could fix the court's ruling by making clear that the law prevents the disclosure of personally identifiable information. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Facebook Privacy. (May. 9, 2014)

Texas Bill to Require Warrants for E-mail Searches Awaits Governor's Signature: The Texas legislature has passed H.B. No. 2268, a bill that creates a warrant requirement for law enforcement access to stored electronic communications and customer data. The law, which was presented to Governor Rick Perry this week, is the first successful state effort to establish an across-the-board warrant requirement for stored communications. Congress is considering similar changes to the federal Electronic Communications Privacy Act. Others have proposed more sweeping privacy reforms, and there are bills in both the House and Senate that would establish location privacy protections. EPIC testified before the Texas Legislature on H.B. 1608, a location privacy companion to H.B. 2268. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (May. 29, 2013)

Senator Leahy Sets Out Judiciary Committee Agenda for New Congress: On January 16, 2013, Georgetown University Law School hosted Senator Patrick Leahy (D-VT), the chairman of the Senate Judiciary Committee. Leahy set out the agenda of the Judiciary Committee in the 113th Congress, vowing to commit the Committee to addressing "out most fundamental rights, and our most basic freedoms." Updates to key legislation, including laws on e-mail privacy and cybersecurity, are included in the Committee's agenda. The Chairman explained that the Committee would also address the need for oversight of US counterterrorism programs as well as privacy issues involved with the growing use of domestic surveillance drones. Furthermore, Senator Leahy emphasized the importance of open government as an American value, promising to "continue to fight for transparency that keeps the government accountable to the people." For more information, see EPIC: Electronic Communications Privacy Act, EPIC: Open Government, and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Jan. 17, 2013)

Background

Introduction to ECPA

The Electronic Communications Privacy Act ("ECPA") was passed in 1986 to expand and revise federal wiretapping and electronic eavesdropping provisions. It was envisioned to create "a fair balance between the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal information would remain safe.

ECPA includes the Wiretap Act, the Stored Communications Act, and the Pen-Register Act. Wire communication refers to "any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection"; in short, it refers to phone conversations. An oral communication is "any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation"; this constitutes any oral conversation in person where there is the expectation no third party is listening.

Individuals who violate ECPA face up to five years of jail time and a $250,000 fine. Victims are also entitled to a civil suit of actual damages, in addition to punitive damages and attorney's fees. The United States itself cannot be sued for a violation, but evidence that is gathered illegally cannot be introduced in court.

Prohibition on Interception of Communications

ECPA does include important provisions that protect a person's wire and electronic communications from being intercepted by another private individual. In general, the statute bars wiretapping and electronic eavesdropping, possession of wiretapping or electronic eavesdropping equipment, and the use or disclosure of information unlawfully obtained through wiretapping or electronic eavesdropping. The Wiretap Act prohibits any person from intentionally intercepting or attempting to intercept a wire, oral or electronic communication by using any electronic, mechanical or other device. To be clear, an electronic device must be used to perform the surveillance; mere eavesdropping with the unaided ear is not illegal under ECPA.

There are exceptions to this blanket prohibition, such as if the interception is authorized by statute for law enforcement purposes or consent of at least one of the parties is given. Although some states prohibit the recording of conversations unless all parties consent, ECPA requires only one party consent; an individual can record his own conversation without violating federal law. In the workplace, an employer would likely not violate ECPA by listening to an employee's communications if, for example, blanket consent was given as part of the employee's contract.

In addition to criminalizing the actual wiretapping or electronic eavesdropping, ECPA also prohibits an individual from disclosing such information obtained illegally if the person has reason to know that it was obtained illegally through the interception of a wire, oral, or electronic communication. Similarly, if a person cannot lawfully disclose a lawful law enforcement wiretapping and if he has reason to know that doing so will obstruct a criminal investigation.

Prohibition on Access of Communications

While the Wiretap Act addresses the interception of communications, the Stored Communications Act addresses access to stored communications at rest. In the modern context, this primarily refers to e-mails that are not in transit. The Act makes it unlawful to intentionally access a facility in which electronic communication services are provided and obtain, alter, or prevent unauthorized access to a wire or electronic communication while it is in electronic storage in such system. This statute also makes exceptions for law enforcement access and user consent.

As with other forms of communication protected under ECPA, an employer is generally forbidden from accessing an employee's private e-mails. However, if consent is given in the form of an employment contract that explicitly authorizes the employer to access e-mails, it may be lawful under ECPA for him to do so.

Pen Registers and Trap and Trace

Pen registers and trap and trace devices provide non-content information about the origin and destination of particular communications. Because this information does not contain the content of the communication, it is subject to lesser restrictions than actual content. The Supreme Court has long held that there is no reasonable expectation of privacy in this information because the telecommunications company has ready access to it; in fact, the company must utilize this information to ensure the communications are properly routed and delivered. The Pen-Register Act covers pen registers/trap and trace.

In the context of phone calls, Pen-Registers display the outgoing number and the incoming number. Because e-mail subject lines contain content, their use on e-mails, per revisions in the USA PATRIOT Act, must include the sender and addressee, but avoid any part of the subject. IP addresses and port numbers associated with the communication are also fair game under the Act.

The regulations specifically apply to "devices" that capture this information. Thus, ECPA generally prohibits the installation or use of any device that serves as a pen register or trap and trace. Amendments in the USA PATRIOT Act allow the term devices to also encompass software.

Also, unlike provisions relating to the interception and access of communications, there is no statutory exclusionary rule that applies when the government illegally uses a pen register/trap and trace device. And there is no private cause of action against the government for violations of this law.

Disclosure of Records

ECPA lays out guidelines for law enforcement access to data. Under the Stored Communications Act, the government is able to access many kinds of stored communications without a warrant.

The following table illustrates the different treatment of the contents of an email at various times:

In addition to the specific government exceptions outlined above, there is other information that the government is empowered to collect from communications providers in the form of customer records. Under § 2703, an administrative subpoena, a National Security Letter ("NSL"), can be served on a company to compel it to disclose basic subscriber information. Section 2703 also allows a court to issue an order for records; whether an NSL or court order is warranted depends upon the information that is sought.

An NSL can be used to obtain the name; address; local and long distance telephone connection records, or records of session times and durations; length of service (including start date) and types of service utilized; telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and means and source of payment for service (including any credit card or bank account number) of a subscriber. Although the breadth of information that can be gathered with an NSL is quite large, and was dramatically expanded with the USA PATRIOT Act, none of this information is supposed to include content.

All other non-content customer records have to be obtained by a court order under § 2703(d). These include transactional records such as "addresses of web sites visited by the customer and e-mail addresses of other individuals with whom the account holder has corresponded." Although an order for these materials is issued by a court, the court is not issuing a warrant based upon probable cause. Instead, § 2703(d) requires only that there be "specific and particularly facts showing that there are reasonable grounds to believe" that the records requested are "relevant and material to an ongoing criminal investigation."

As was stated, ECPA itself does not prohibit the disclosure of customer records to third parties. When the third party is the government, ECPA expressly permits the service provider to share customer records "if the provider reasonably believes than an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information." This authorization is found in § 2702 and was added as part of the USA PATRIOT Act. In practice, it allows law enforcement to forgo even the minimal burden of a subpoena or a court order and claim there is an emergency that necessitates the records being turned over. Although it is voluntary for the provider to act under this provision, many do in practice.

Reform

ECPA embodies many important and useful protections, but much has changed since ECPA was passed in 1986; from personal computing to the Internet and now the ubiquity of mobile devices, much of today's technology (and even much of yesterday's) was not conceived when the law was first drafted. ECPA has been amended several times, but has not been significantly modified since becoming law.

ECPA regulates when electronic communications can be intercepted, monitored, or reviewed by third parties, making it a crime to intercept or procure electronic communications unless otherwise provided for under law or an exception to ECPA. ECPA defines "electronic communication" as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce." This definition focuses on the transfer of the data - the time during which the packets of data are traveling between one point and the other. This creates and "on the wire" versus "off the wire" distinction that is becoming more difficult as technology advances.

ECPA case law is confused in part due to the sharp distinctions drawn between communications in transit and those that are being stored. What was once an clear distinction - particularly with wireline telephones - is now incredibly complex. For example, the packets that make-up a single e-mail are broken apart, transit multiple servers and routers, and are then recombined and stored on remote servers. It is unclear how ECPA applies to these packets: whether the email is in transit, and therefore governed by Title I, or in "electronic storage" and governed by Title II. Title I, the Wiretap Act, and Title II, the Stored Communications Act, have vastly different standards and requirements, which creates uncertainty for users, law enforcement, and the courts.

The adoption of cloud computing, while offering many benefits (such as convenience and ease of access), makes the need for ECPA reform more urgent. Whereas an e-mail stored on a home computer would be fully protected by the 4th Amendment warrant requirement, only the Sixth Circuit has ruled that all e-mail stored on a remote, cloud computing server is protected. More and more information, including documents, e-mails, pictures, personal calendars, and locational data is being stored in the cloud. Much of this data has little or no protection under current law. Protections for locational data, in particular, have been widely discussed, but, to date, have not been added.

The 180 day distinction within ECPA is also the subject of much criticism. When ECPA was passed in 1986, web-based e-mail, such as Gmail, did not exist. Instead, e-mail primarily existed in local intranets where clients would download their messages from the server and the server would, generally, not keep a backup. Congress presumed that any e-mails left on the server for more than 180 days should be treated like abandoned property. This distinction, however, is no longer as relevant today when customers have access to nearly unlimited cloud storage.

Congress has held several hearings on reforming ECPA, with technology companies and digital rights groups lobbying for clear standards that are adaptable to technological advances. Law enforcement has questioned the need to ECPA reform, fearing that reforms could decrease their ability to acquire digital information in a timely manner.

On March 19, 2013, Senators Patrick Leahy and Mike Lee introduced the "Electronic Communications Privacy Act Amendments Act of 2013," which was reported favorably to the Senate by the Committee on the Judiciary on April 25, 2013, with an amendment from Sen. Leahy. The bill makes clear that a governmental entity may require disclosure of the contents of an electronic communication "only if the governmental entity obtains a warrant ... that is issued by a court of competent jurisdiction directing the disclosure." This would eliminate the "180-day rule" and the distinction between opened and unopened e-mails for the purposes of law enforcement access. The bill would also impose stricter notice requirements to ensure that any user whose communications are subject to a warrant will be notified promptly.